diff options
| author | Paul Buetow <paul@buetow.org> | 2024-02-15 10:40:15 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-16 00:23:24 +0200 |
| commit | cb70df2d4b17dd3d54d89a46e3aee22f3c131854 (patch) | |
| tree | 3c7210a4090139e9045a85bf73322b5002d1f573 /ioriotng.bpf.c | |
| parent | 6d2ae77ccb31844c6c366911ee1b4bc43bd691f6 (diff) | |
switch from perf maps to ring buffer
Diffstat (limited to 'ioriotng.bpf.c')
| -rw-r--r-- | ioriotng.bpf.c | 98 |
1 files changed, 44 insertions, 54 deletions
diff --git a/ioriotng.bpf.c b/ioriotng.bpf.c index e4286c2..3eaf160 100644 --- a/ioriotng.bpf.c +++ b/ioriotng.bpf.c @@ -4,6 +4,7 @@ #include "opids.h" #include <bpf/bpf_helpers.h> #include "maps.bpf.h" +#include "ringbufs.bpf.h" static inline int filter() { u32 key = 1; @@ -11,63 +12,53 @@ static inline int filter() { return flagsp == NULL || (bpf_get_current_uid_gid() & 0xFFFFFFFF) != flagsp->uid_filter; } -SEC("tracepoint/syscalls/sys_enter_open") -int handle_enter_open(struct trace_event_raw_sys_enter *ctx) { +SEC("tracepoint/syscalls/sys_enter_openat") +int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) { if (filter()) return 0; - u32 tid = bpf_get_current_pid_tgid(); + struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0); + if (!ev) + return 0; - struct open_event open_event = {}; - bpf_probe_read_user_str(open_event.filename, sizeof(open_event.filename), (void *)ctx->args[0]); - bpf_get_current_comm(&open_event.comm, sizeof(open_event.comm)); - open_event.tid = tid; - open_event.enter_time = bpf_ktime_get_ns(); + ev->op_id = OPENAT_ENTER_OP_ID; + ev->tid = bpf_get_current_pid_tgid(); + ev->time = bpf_ktime_get_ns(); - bpf_map_update_elem(&open_event_temp_map, &tid, &open_event, BPF_ANY); + bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]); + bpf_get_current_comm(&ev->comm, sizeof(ev->comm)); + bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_open") -int handle_exit_open(struct trace_event_raw_sys_exit *ctx) { +SEC("tracepoint/syscalls/sys_exit_openat") +int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) { if (filter()) return 0; - u32 tid = bpf_get_current_pid_tgid(); - struct open_event *open_eventp = bpf_map_lookup_elem(&open_event_temp_map, &tid); - if (!open_eventp) { - return 0; - } - open_eventp->exit_time = bpf_ktime_get_ns(); - open_eventp->fd = ctx->ret; - bpf_perf_event_output(ctx, &open_event_map, BPF_F_CURRENT_CPU, open_eventp, sizeof(struct open_event)); - bpf_map_delete_elem(&open_event_temp_map, &tid); - - return 0; -} - -SEC("tracepoint/syscalls/sys_enter_openat") -int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) { - if (filter()) + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) return 0; - u32 tid = bpf_get_current_pid_tgid(); + ev->op_id = OPENAT_EXIT_OP_ID; + ev->tid = bpf_get_current_pid_tgid(); + ev->time = bpf_ktime_get_ns(); + ev->fd = ctx->ret; - struct open_event open_event = {}; - - bpf_probe_read_user_str(open_event.filename, sizeof(open_event.filename), (void *)ctx->args[1]); - bpf_get_current_comm(&open_event.comm, sizeof(open_event.comm)); - open_event.tid = tid; - open_event.enter_time = bpf_ktime_get_ns(); - bpf_map_update_elem(&open_event_temp_map, &tid, &open_event, BPF_ANY); + bpf_ringbuf_submit(ev, 0); return 0; } -SEC("tracepoint/syscalls/sys_exit_openat") -int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) { - return handle_exit_open(ctx); +SEC("tracepoint/syscalls/sys_enter_open") +int handle_enter_open(struct trace_event_raw_sys_enter *ctx) { + return handle_enter_openat(ctx); +} + +SEC("tracepoint/syscalls/sys_exit_open") +int handle_exit_open(struct trace_event_raw_sys_exit *ctx) { + return handle_exit_openat(ctx); } SEC("tracepoint/syscalls/sys_enter_close") @@ -75,16 +66,16 @@ int handle_enter_close(struct trace_event_raw_sys_enter *ctx) { if (filter()) return 0; - u32 tid = bpf_get_current_pid_tgid(); - - struct fd_event event = {}; - event.fd = (int)ctx->args[0]; - event.op_id = CLOSE; - event.tid = tid; - event.enter_time = bpf_ktime_get_ns(); + struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); + if (!ev) + return 0; - bpf_map_update_elem(&fd_event_temp_map, &tid, &event, BPF_ANY); + ev->op_id = CLOSE_ENTER_OP_ID; + ev->tid = bpf_get_current_pid_tgid(); + ev->time = bpf_ktime_get_ns(); + ev->fd = (int)ctx->args[0]; + bpf_ringbuf_submit(ev, 0); return 0; } @@ -93,16 +84,15 @@ int handle_exit_close(struct trace_event_raw_sys_enter *ctx) { if (filter()) return 0; - u32 tid = bpf_get_current_pid_tgid(); - - struct open_event *open_eventp = bpf_map_lookup_elem(&fd_event_temp_map, &tid); - if (!open_eventp) { + struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); + if (!ev) return 0; - } - open_eventp->exit_time = bpf_ktime_get_ns(); - bpf_perf_event_output(ctx, &fd_event_map, BPF_F_CURRENT_CPU, open_eventp, sizeof(struct fd_event)); - bpf_map_delete_elem(&fd_event_temp_map, &tid); + ev->op_id = CLOSE_EXIT_OP_ID; + ev->tid = bpf_get_current_pid_tgid(); + ev->time = bpf_ktime_get_ns(); + + bpf_ringbuf_submit(ev, 0); return 0; } |